Windows Error - BIGFIX service account got disabled

Hi,

Recently the BigFix service account was disabled by the AD team, saying it was hitting the DC so hard; as per them, they received 23000 hits from that service account.

And when I looked into the logs I am getting these error messages. What do these mean? Why did they start occurring? What could be the root cause and solution for it?

Tue, 08 Nov 2016 01:49:38 -0600 - /data/ldap-users-with-membership (4944) - Socket Error: Windows Error 0x2745: An established connection was aborted by the software in your host machine.

Thu, 10 Nov 2016 10:30:16 -0600 - /data/ldap-users-with-membership (5724) - Uncaught exception in plugin data with client x.x.x.x: Socket Error: Windows Error 0x2745: An established connection was aborted by the software in your host machine.

Not a lot of details there, but it sounds like your client is terminating the LDAP connection. One likely cause is that you’re configured to use LDAP over SSL, but have not configured your host to trust the certificate that is being used by the Domain Controller.

…My setup has been LDAP over SSL for years. I’m afraid I don’t recall whether the config involves making Windows trust the Certificate Authority that issues the domain controller certificates, or whether that was internal to the BES software.

The client should only be attempting to get data once every 12 hours and once when a user logs in by default.

This shouldn’t be occurring based off the agent itself, but you don’t specify which service it is (an agent or server, etc.), so you’d need more details.

These logs are BESRelay.log from root server.

The BESRelay.log snip you provided doesn’t show much activity - those events are over 48 hours apart. Could those log entries be a result of your AD team disabling the BES service account?

And, you must consider the possibility that 23000 hits from the service account may indicate an actual attack, someone attempting to guess the account’s credential, and not traffic coming from BigFix at all.


I liked it, but how do I prove that? Where exactly do I look for evidence? Before the service account got disabled I enabled Web Reports logging for all activities; would that be a reason, as in just a couple of minutes these log files increased to 1GB and more, but when I looked into the file I didn't see any error.

Your Active Directory team may help with attack indicators, if you don’t have a dedicated intrusion prevention team. The first indicator would be for failed logons for your BES service account, originating from a system that is not your BES Server.
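As an added example (not code from the thread or from BigFix), this PowerShell query run on a domain controller pulls the failed-logon events (4625, 4771, 4776) for the BES service account and separates the ones that did not originate from the BES server, which is the indicator described above. The account name and BES server address are placeholders to replace with your own.

```powershell
# Added example: find failed logons for the BES service account on a DC and
# flag the ones whose source is not the BES root server.
$ServiceAccount = 'svc_bigfix'                 # placeholder: BES service account
$BesServerIds   = @('10.0.0.10', 'BESROOT01')  # placeholder: BES server IP / host name
$Since          = (Get-Date).AddDays(-1)

# 4625 = logon failure, 4771 = Kerberos pre-auth failed, 4776 = NTLM credential validation
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # keep only the service account (allow "svc_bigfix" or "svc_bigfix@domain")
    if ($data['TargetUserName'] -notlike "$ServiceAccount*") { continue }

    # 4776 is logged for successes too; Status 0x0 means the validation succeeded
    if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }

    # 4625/4771 carry the caller's IP; 4776 only carries the workstation name
    $source = $data['Workstation']
    if ($data.ContainsKey('IpAddress')) { $source = $data['IpAddress'] -replace '^::ffff:', '' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $data['TargetUserName']
        Source  = $source
        FromBes = $BesServerIds -contains $source
    }
}

# Failures from anywhere other than the BES server are the first attack indicator
$rows | Where-Object { -not $_.FromBes } | Sort-Object Time | Format-Table -AutoSize
$notBes = @($rows | Where-Object { -not $_.FromBes }).Count
"Total failures for ${ServiceAccount}: $(@($rows).Count); not from BES server: $notBes"
```

Run it on each domain controller (or point Get-WinEvent at them with -ComputerName), since failed Kerberos and NTLM validations are recorded on the DC that handled them rather than on the BES server.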

@AlanM, @JasonWalker, @jgstew (marked all 3 of you just to get better clarity on this question). While looking into the logs I found there were multiple failed attempts from 2-3 user IDs (domain IDs), so the question is: if a user is logged into the console and somehow his/her ID’s password got reset/changed/locked, can that create multiple hits to the DC if the console remains open with that ID for a couple of hours?

And if our console is getting one failed attempt, will it be one failed attempt for the DC too, or will there be multiple hits corresponding to one failed attempt in the console?

Most importantly, when we have configured a service account in our LDAP directory for AD authentication, then in the above-mentioned scenario, will the DC receive the hit from the service account, or will that hit be from the same ID that got the failed attempt on the DC side?

The failed logon will appear for the console user account.

That's correct, but that was not my question; please read it again and then please share your guidance.

The DC will see failed logons from the individual operator’s account in this case.

Then what is the use of the service account which is configured for domain authentication under LDAP Directories in the BigFix console?

I’m not sure of all the uses (note I do NOT work for IBM, I’m just another customer). One thing I know it does is use the Service Account to query AD to retrieve a list of user accounts and group memberships (for mapping to Roles/Groups/etc.).

Thx Jason! I appreciate your response, thank you.